Microsoft has spent billions of dollars in recent years to secure its software. Now it's payback time.

Until recently, security was just something that the software company got hammered on--a perennial headache, with no upside. But now, four years after Chairman Bill Gates launched his Trustworthy Computing push, Microsoft is starting to see security as a potential selling point.

Last month, Windows chief Jim Allchin pointed to enhanced security as the top reason customers should move to Vista, the update to the operating system due this year. The software maker estimates that a third of its engineering time for the new Windows was spent on protective measures.

"There is a shift that we are seeing," said Mike Nash, the executive who heads Microsoft's security business. "As we're still making progress and still being scrutinized, we're also hearing that companies want more from us."

Though challenges remain, the opportunity for Microsoft is huge. The Yankee Group in January pegged the unsecured PC market--computers without antivirus software or that have lapsed antivirus subscriptions--as worth $15 billion. Enterprise customers already spend $3 billion a year on security, the analyst firm noted.

"What's driving Microsoft's investments? Money, of course," Yankee analysts said in their report. "These markets are collectively too large for Microsoft to ignore any longer."

Any revenue would help boost the return that Microsoft is getting on its investment in security, a push that Pescatore said costs the software maker hundreds of millions of dollars per year. The company has also been on a shopping spree that began with its 2003 purchase of Romania's GeCad and includes at least four other security software makers.

Gaps in security
A few years back, security was nothing but a headache for Microsoft, and all customers wanted from the Redmond, Wash., company was software with fewer holes.

And not everyone is keen on the idea of paying Microsoft to help secure the products it created. Businesses, in particular, are questioning the move, Gartner analyst John Pescatore said.

"'Wait a minute--Microsoft's software is causing the problem, and now they want me to pay extra to fix the problem?'" Pescatore said, summing up the reaction of some corporations to Microsoft's move toward selling security software.

While businesses may still be somewhat loath to pay Microsoft for security, Pescatore said that the company's reputation has improved from the days when the SQL Slammer and MSBlast worms dented it.

"They have spent three or four years taking security seriously," he said. "They have basically removed it as a liability compared to the Linuxes and Solarises."

Pescatore contrasts Microsoft's efforts with those of Oracle. While Microsoft has been improving its reputation, Oracle, he said, has largely been standing still and is losing its once-sterling reputation for security.

Even John Thompson, CEO of Symantec, has had to praise Microsoft's efforts. In a speech at last week's RSA Conference, Thompson noted that there were 100 attacks that posed a medium or high risk between 2002 and 2004, but only six such attacks last year.

"The broad adoption of firewalls and antivirus and intrusion detection software, and the progress quite frankly made by Microsoft in securing their operating platform, has made this possible," Symantec CEO John Thompson said last week. "Yes, I did say that," he added, to laughter from the crowd.

"'Wait a minute--Microsoft's software is causing the problem, and now they want me to pay extra to fix the problem?'" Pescatore said, summing up the reaction of some corporations to Microsoft's move toward selling security software.

No... not everyone... just all the anti Microsoft folks here at News.com.

The bottom line is that security costs money. No matter what system you implement, you will either invest:

A) Your Time/Money to secure the system(s)
B) Your money and somebody else's time

If there is no money to be made in security, then NOBODY will have a (more) secure system unless they do it themselves. It's just that simple.

Now, if you want to pay Symantec or some other AV company to secure your Mac or Windows box... that is an option.

You could also pay a bazillion dollars to have IBM send a security expert out to help make your system(s) safer.

Some could easily argue that Microsoft is perhaps the most intimately knowledgeable of security issues in Windows.

ALL operating systems have security issues. This is not an arguable point, and I intentionally did not say security "flaws." It costs money to redesign or rebuild components that need to be secured against continually maturing threats. To date, OS companies have provided security updates free of charge, and I don't see this changing.

However, as we all know... no matter what OS you use or how often updates are made available, if you HONESTLY care about security, you have implemented additional security measures... at your own expense.

Because this is a profitable market and will continue to be so no matter how much emphasis is placed on securing operating systems, it only makes sense for a business to recover its costs by offering a security product.

The alternative is to let the expense of developing patches grow until it becomes a major headache for Apple, Microsoft, and yes... OSS.

I can't stand these safety and security commercials. It's important but I would rather have a good tool than someone else 'ensuring' my security. It sounds like all the sci-fi novels. Choice is most important especially with security software as I don't really want an OS manufacturer trying to do that alone. AdWare was actually pretty nice but invasive on my system as Linux offers more subtle tools.

Personally I would not buy Microsoft security products. I would like Symantec or McAfee to provide me the security software for my machine.

I will look at Microsoft security products, if they provide better value for the money and Symantec and McAfee suck.

To Microsoft's credit, they are spending a ton of money to make their OS better and secure. Hardly these days we see 'Blue Screen Of Death' or major virus attacks. I have not had any issues after installing Windows XP Service Pack 2.

MS software is not the problem, malware writers are. Patches for flaws are and always have been free. Also you don't need any flaw to have a virus infect you. They don't have to take advantage of any flaw at all. There is much an OS maker can do to prevent you from running an executable that you download or get in an email or bring on your own floppy. That's what computers are designed to do, run executables. The AV looks at it and determines it's up to no good and prevents you from running it. That's not something you can do with the OS, 'cause you cannot know beforehand the malware that'll be written in the future. So it's really disingenuous to say that they sell you a defective product and make you pay to fix it.

Prior to the development of PC's and Microsoft, Operating systems were required to provide security. Microsoft has fooled the world by coming up with a basic OS and then charges for the things that it should be including anyway. When you total the OS cost, support cost and additional programs for security, spam and other protections, is the Microsoft and less expensive or has it used the Wal-Mart philosophy.

That's laughable, security as a function was never really important till the network age and the age of the internet. While they might have provided minor security, I doubt they provided any security of what is considered today "secured!" Microsoft has had many problems as it relates to security but Apple was nowhere near as secure as let's say a UNIX distribution at that time. Hell, I don't even think encryption became important (except for maybe mainframes) in personal computers until the internet age.

And I doubt a large number of people will buy into this service. I won't; I like to incorporate many vendors, platforms and tools. No point in being a 100% Microsoft shop.

Also Wal-Mart is predatory to the industry at large, forcing businesses that they work with to sell the product at the price they want, killing small business under the guise "The lowest price". If you're a software developer it's bull if you are not creating stuff because of Microsoft. People create stuff all the time in spite of larger corporations. This is called competition; there is a global marketplace and while Microsoft may create a clone of your software it's just competition. Real monopolies are companies that can not compete because they do not have a fair chance in the market because someone can delegate who can do what. Microsoft can not, in fact it would be debilitating to their core market which is to sell a consumer friendly OS. Linux exists, Solaris exists, insert your favorite OS here exists. They have as much competition as you can think, and many have to force Microsoft to look and see that they do not have control over the market anymore. Linux is a good example, what is it going to take to get you off Linux, or to not make you go to Linux is how they view the product. Microsoft also makes products that interoperate with other operating systems, for example Services for Unix can talk to Linux/Unix boxes and send directory information back and forth. They give away most of these style tools for free. Linux combats this with offering FOSS, that's great but sometimes FOSS products are not up to par with proprietary products; AD integration is a good example.

Sounds like the old protection racket, just made to look prettier! Pay me for protection or else who knows what will happen to you!? If ever there was a time for a split of Microsoft this is a clear indication of it! They are now going to charge for what should have been a quality OS to begin with!!

...at least the beta hasn't been. The anti-spyware catches far less than the free Spybot or even AdAware, and remains very glitchy. The anti-virus is of relatively better quality although still not quite up to the free product offered by AVG. The firewall seems relatively competitive with the free products available, but firewalls are the easiest to program of the basic three components. I just don't forecast the huge tonnage of savvy consumers throwing tons of dough at Microsoft for their security suite that Microsoft does, is all. Where Microsoft may gain some momentum before selling a $50 security suite is by locking down such core programs to their operating systems as their browser - and by trialling their beta IE#7, this doesn't seem to be in the offing anytime soon. I figure they best lock their operating system core programs down tight before they have any reasonable chance of motivating a large number of folks to spend $50 on a security suite.

"They have spent three or four years taking security seriously," he said. "They have basically removed it as a liability compared to the Linuxes and Solarises."

Now let's get back to the real world. Windows to this very day is the undisputed champion of hosting malware of any size, shape and form, be it viruses, trojans, spyware, key-loggers, you name it, Windows has it in spades. More so than any other platform, period. And that's putting it mildly. MS cannot escape this essential factoid.

Sure, maybe they have taken the last four years taking security "seriously" which, coincidentally, happens to be just about MS's gestation period for correcting security lapses in its software and getting it into users' hands. When did MS finally ship Windows with all ports closed by default? Why, it wasn't until Windows XP SP2! Given that Windows XP (which was essentially Windows 2000 in a new suit) first appeared on the market around 2001, that's about, oh, 4 years or so of "taking security seriously."

And of course there is IE 6, a security travesty rotting away on every single Windows box for those who haven't had the good sense to install Firefox. MS's answer to that problem is the forthcoming IE 7, which is apparently still in development. IE 7 touts major improvements to security, well, we'll see. But how long has it been since the release of the last version of IE 6 and IE 7? Well, the clock is still ticking on that one, but if it meets its current approximate schedule for release, it will be about another half-decade of "taking security seriously."

The fact is, the only time MS takes security seriously is when their users scream about it. Even then, MS will not initially respond with the goods. Their users must continue to scream in agony about the same damn issue for YEARS before MS effectively gets around to it...err, I mean "takes security seriously."

So is it of any surprise at all that the security software industry is now a billion dollar industry?

i.e. MS anti-spyware product was quick to introduce problems, if I remember correctly it had an issue where spyware could use the antispyware service to infect a PC via a backdoor or something. Or how about MS buying a purveyor of spyware, Gator (Claria) and suddenly MS's antispyware no longer detects and removes Claria spyware products?

Who in his/her right mind would trust Microsoft to do anything other than ram it to ya?

Symantec, McAfee, and even Trend Micro have had security issues with their software, and they are supposed to be the experts in the field. Just goes to show you that no software is completely foolproof.

You assume that all problems can be fixed with one operating system. Ha, security in any OS will be wayward, MS, LINUX or Macintosh. Last I heard MAC's are now what MS was back in 1995. While Mac is gaining adoption it will also suffer its bouts of security headaches. Besides, why pay for the OS? It's built on BSD which is free and probably built more secure and stable.

Not to mention if you want to talk about unable to write software for, look at the Mac that is far more proprietary than Microsoft, IBM and Novell combined. Have to buy a license to write and sell a piece of hardware.

Stop spreading FUD, seriously, your lack of fact in the argument just shows that you're a zealot.

Your computer came secure from boot up to boot down, great for you. Right, it's hard to be a general purpose OS because you got JOE dipstick who thinks running as administrator with no AV and no idea what deleteyourfiles.exe does. The problem does not only lie with Windows, but also with computer users at large.

What is Linux?

Linux is a geek's tool, while anybody can use it - it is for now a geek's tool. MS has to make an OS that people can use, because if they made it too secure dumb ***es would complain and so great I can not use it. MS has this damned if you do, damned if you don't. And I think the security features in Vista are good, however I think joe sixpack is going to hate it. Remember not everyone is a geek, and when security comes in the way of usability the consumer at large loses. Besides if you know how to run any OS it is secure. But it takes knowledge. If you set up your computer right with any OS you do not have to worry about this problem. But as long as people run with root we will always have these problems, as long as system cracks who think they're admins we will always have these problems.

... of making their efforts self-funding if not potentially self-funding. For example:

1. Since it cost so much to keep Microsoft products documented, Microsoft introduced subscription options to own updated copies of the documentations.
2. Since it costs so much to defend against copyrights and patent claims filed against them, Microsoft started piling up their own patents which, to over-simplify my point, are valuable when used for license rights and royalty claims.
3. Since it costs so much to secure Windows, might as well add some value to the effort and sell security as a product.
